OpenAjax Alliance tightens mashup security

The group said that security improvements would help firms protect applications against external attacks, and hopes that this reassurance will encourage more development and adoption of such applications on enterprise web sites.

"OpenAjax Hub 2.0 is a major step forward for the OpenAjax Alliance towards its mission of promoting Ajax interoperability," said David Boloker, OpenAjax Alliance steering committee chairman, and chief technology officer for emerging internet technology at IBM.

"In order to realise the potential for mashups across the industry, there needs to be standards. Hub 2.0 defines a key industry standard for how widgets can be isolated into secure containers, and then how widgets can talk to each other through a mediated messaging bus."

Third-party widgets are split off into secure areas and monitored by a security manager, the group said. Because the widgets are isolated, any risk that they present is mitigated, and attacks or weaknesses are confined to that area. Other additions include interoperability features and a test suite for applications.

"With OpenAjax Hub 2.0, users or administrators can isolate untrusted third-party widgets into secure sandboxes, preventing information stealing and other malicious acts. The net result is that mashup users can combine company and internal widgets with third-party widgets without compromising security."
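The mediated messaging bus described above can be pictured with a small model. This is an added example, not the OpenAjax Hub 2.0 API or code from the Alliance: `MediatedHub`, `allowlistPolicy` and the topic names are hypothetical, and the sandbox that keeps widgets apart is assumed to be provided by the container.

```javascript
// Conceptual model of a mediated message bus (hypothetical names throughout).
// Widgets never hold references to each other: every subscribe and publish
// goes through the hub, which consults a manager-supplied policy first.
class MediatedHub {
  constructor(policy) {
    this.policy = policy; // { canPublish(id, topic), canSubscribe(id, topic) }
    this.subs = [];       // active subscriptions: { widgetId, topic, handler }
    this.audit = [];      // denied operations, kept for the security manager
  }

  // The frozen handle is the only capability a sandboxed widget receives.
  connect(widgetId) {
    return Object.freeze({
      subscribe: (topic, handler) => this._subscribe(widgetId, topic, handler),
      publish: (topic, data) => this._publish(widgetId, topic, data),
    });
  }

  _subscribe(widgetId, topic, handler) {
    if (!this.policy.canSubscribe(widgetId, topic)) {
      this.audit.push({ widgetId, op: "subscribe", topic });
      return false;
    }
    this.subs.push({ widgetId, topic, handler });
    return true;
  }

  _publish(widgetId, topic, data) {
    if (!this.policy.canPublish(widgetId, topic)) {
      this.audit.push({ widgetId, op: "publish", topic });
      return 0;
    }
    // Serialise once so receivers get copies, never shared object references.
    const wire = JSON.stringify(data);
    const targets = this.subs.filter((s) => s.topic === topic);
    for (const s of targets) s.handler(topic, JSON.parse(wire), widgetId);
    return targets.length; // number of widgets the message reached
  }
}

// Constructed policy: per-widget allowlists of topics, deny by default.
function allowlistPolicy(rules) {
  const ok = (id, kind, topic) => ((rules[id] || {})[kind] || []).includes(topic);
  return {
    canPublish: (id, topic) => ok(id, "pub", topic),
    canSubscribe: (id, topic) => ok(id, "sub", topic),
  };
}
```

A widget that asks for a topic outside its allowlist gets a refusal and leaves an entry in `audit`, which is the record a security manager would review.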